A new Vidar malware campaign has been detected, utilizing compromised PEC mailboxes to spread the malware among Italian users. This campaign introduces new techniques to conceal the URLs for downloading the payload, complicating detection and prevention efforts. Affected: PEC mailboxes
Keypoints :
- New Vidar malware campaign identified on January 6, 2025.
- Cybercriminals are exploiting compromised PEC mailboxes.
- Utilization of 148 second-level domains with a Domain Generation Algorithm (DGA).
- URLs initially inactive, activating later to evade detection.
- Enhanced obfuscation techniques used in JavaScript files.
- IP addresses, domains, and sender mailboxes are rotated every 2-3 minutes.
- Countermeasures have been implemented with the support of PEC Managers.
- IoCs related to the campaign have been shared via CERT-AGID’s IoC Feed.
- Users are advised to be cautious with PEC communications containing suspicious links.
MITRE Techniques :
- T1071.001 – Application Layer Protocol: The malware uses HTTP/S for communication.
- T1070.001 – Indicator Removal on Host: The malware employs techniques to hide its presence.
- T1027 – Obfuscated Files or Information: JavaScript file obfuscation is used to complicate analysis.
- T1583.001 – Acquire Infrastructure: Utilization of DGA for domain generation.
Indicator of Compromise :
- [domain] compromised.pec.mailbox
- [domain] example.dga.domain
- [url] http://malicious.link/download
- [email] malware@cert-agid.gov.it
- [others ioc] IoCs shared via CERT-AGID’s IoC Feed
- Check the article for all found IoCs.
Full Research: https://cert-agid.gov.it/news/pec-compromesse-vidar-sfrutta-un-nuovo-metodo-di-offuscamento/